Privacy Policy

1. Information We Collect

One Line Loop collects minimal data necessary to provide our service:

Account Information

• Email address: Required for authentication and daily email delivery
• Password: Encrypted and stored securely by Firebase Authentication
• Display name: Optional, collected from Google sign-in if used
• Account creation date: For service management

Usage Data

• Daily entries: Your one-line responses (≤120 characters each) - encrypted before storage
• Timezone preference: To schedule daily prompts at 8:00pm local time
• Streak data: Current and best streak counts, last entry date
• Entry timestamps: When entries were created and last updated
• Entry source: Whether entered via web or email reply
• Encryption keys: Client-side generated encryption keys for securing your entries

Email Data

• Email delivery status: Whether daily prompts were sent successfully
• Email events: Opens, clicks, bounces, spam reports (via Mailjet)
• Reply processing: Inbound email parsing and validation
• Email headers: Minimal headers for reply processing

Payment Information

• Subscription status: Active plan and billing cycle
• Stripe customer ID: For billing management
• Payment processing: Handled entirely by Stripe (we don't store payment details)

2. How We Use Your Information

We use your data solely to provide the One Line Loop service:

• Send daily email prompts at your preferred time
• Process and store your daily entries
• Calculate and display your streak statistics
• Provide access to your entry history
• Manage your subscription and billing
• Ensure email deliverability and handle bounces
• Provide customer support when needed

3. Data Storage and Security

Your data is stored securely using industry-standard practices:

• Firebase/Firestore: Google's secure cloud database with encryption at rest
• Authentication: Firebase Auth with secure password hashing
• Access control: Firestore security rules ensure users can only access their own data
• Email processing: Mailjet handles email delivery with industry-standard security
• Payment processing: Stripe handles all payment data with PCI compliance

4. End-to-End Encryption

Your daily entries are protected with client-side encryption:

• Client-side encryption: Your entries are encrypted in your browser before being sent to our servers
• Zero-knowledge architecture: We cannot read your entries - only you can decrypt them
• Encryption keys: Generated locally on your device and never transmitted to our servers
• Algorithm: Uses TweetNaCl (NaCl) cryptographic library for secure encryption
• Key management: Your encryption keys are stored locally and tied to your account
• Email replies: When you reply via email, entries are encrypted before storage

Privacy by Design: This means even if our servers were compromised, your personal entries would remain unreadable to anyone without your device and account access.

5. Data Sharing

We do not sell, rent, or share your personal information with third parties except:

• Service providers: Firebase (Google), Stripe, and Mailjet as necessary to provide the service
• Legal requirements: When required by law or to protect our rights
• Business transfers: In the event of a merger or acquisition (with notice)

We never share your daily entries or personal content with other users or third parties.

6. Data Retention

We retain your data as follows:

• Account data: Until you delete your account
• Daily entries: Until you delete your account
• Email logs: 90 days for deliverability monitoring
• Payment records: As required by law and Stripe's policies

7. Your Rights

You have the right to:

• Access: View all data we have about you
• Correction: Update your account information
• Deletion: Delete your account and all associated data
• Portability: Export your entries in a readable format
• Opt-out: Disable email notifications

To exercise these rights, contact us at hello@onelineloop.xyz

8. Cookies and Tracking

We use minimal tracking:

• Firebase Auth: Session cookies for authentication
• No analytics: We don't use Google Analytics or similar tracking
• No advertising: We don't show ads or track for advertising purposes
• Email tracking: Basic open/click tracking via Mailjet for deliverability

9. International Data Transfers

Your data may be processed in:

• Australia: Primary service location
• United States: Firebase, Stripe, and Mailjet servers
• European Union: Some Firebase regions

All transfers are protected by appropriate safeguards and service provider agreements.

10. Children's Privacy

One Line Loop is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will delete it immediately.

11. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Significant changes will be communicated via email to active subscribers.

12. Contact Us

If you have questions about this privacy policy or our data practices, contact us at:

Email: hello@onelineloop.xyz